
ANPD Brazil LGPD Enforcement 2024: South America's GDPR and Its Technical Requirements

Brazil's ANPD issued its first major fines in 2024. LGPD covers 215M Brazilians, more than Germany, France, and the UK combined, and LGPD compliance brings detection requirements for CPF, CNPJ, RG and CNH identifiers.

March 7, 2026 · 10 min read

Tags: Brazil LGPD, ANPD enforcement, CPF CNPJ detection, Brazilian privacy law, South America compliance

Brazil's Autoridade Nacional de Proteção de Dados (ANPD) entered active enforcement mode in 2024, issuing its first major fines under the Lei Geral de Proteção de Dados (LGPD) — Law No. 13,709/2018. With 215 million Brazilians covered by the framework and Brazil hosting the largest digital economy in Latin America (180 million internet users), LGPD compliance is now an enforcement reality, not a future concern.

LGPD: Brazil's GDPR with Brazilian-Specific Provisions

LGPD was modeled on GDPR but includes provisions that differ significantly in scope and application:

Maximum fines: 2% of Brazilian annual revenue (not global revenue), up to R$50 million (≈€9M) per violation. Unlike GDPR's 4% global revenue cap, LGPD's Brazil-revenue basis creates lower maximum penalties for multinational companies — but higher relative exposure for Brazil-only businesses.

Sensitive data categories: LGPD's sensitive data categories closely mirror GDPR Article 9 but add specific provisions for racial/ethnic origin, political opinion, religious belief, health data, genetic data, biometric data, and — notably — sexual orientation and sex life. The ANPD's 2024 guidance extended sensitive data protections to LGPD Article 11's consent requirement for any processing of sensitive data.

Data subject rights: Similar to GDPR — access, correction, anonymization, portability, deletion, and information about data sharing. Brazil's LGPD adds a specific right to know if AI was used in data processing decisions.

ANPD's enforcement start: First formal sanctions issued in 2024. Telecoms, financial services, and healthcare organizations were the primary enforcement targets. The ANPD has signaled that multinational companies operating in Brazil will be a 2025 focus.

Brazilian PII Identifiers: The Detection Challenge

Brazil's national identification system is more complex than that of most EU countries, partly because Brazil is a federal republic in which, for some documents, the identification format varies by the state of issuance.

CPF (Cadastro de Pessoas Físicas): 11-digit individual taxpayer registration number, format XXX.XXX.XXX-XX, with two check digits validated using specific modular arithmetic. The CPF is Brazil's primary universal identifier — used for banking, employment, tax, healthcare, and government services. All 215 million Brazilians have a CPF.

CNPJ (Cadastro Nacional da Pessoa Jurídica): 14-digit company registration number, format XX.XXX.XXX/XXXX-XX, with two check digits. Appears alongside personal data of company representatives in business documents.
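A check-digit validator for the two identifiers just described, added here as an illustration (not code from the original post or from anonym.legal). It shows how a PII scanner combines a shape regex with the CPF/CNPJ modulo-11 check digits so that look-alike numbers are not reported; the sample text is constructed, and the CPF 529.982.247-25 and CNPJ 11.222.333/0001-81 are commonly cited valid test values, not real people or companies.

```python
import re

# Shape matchers for formatted or bare CPF / CNPJ tokens; check digits are verified separately.
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
CNPJ_RE = re.compile(r"\b\d{2}\.?\d{3}\.?\d{3}/?\d{4}-?\d{2}\b")


def _check_digit(digits, weights):
    """Modulo-11 check digit shared by CPF and CNPJ: remainder < 2 maps to 0, else 11 - remainder."""
    remainder = sum(d * w for d, w in zip(digits, weights)) % 11
    return 0 if remainder < 2 else 11 - remainder


def is_valid_cpf(value):
    """True if the 11 digits in `value` carry correct CPF check digits."""
    digits = [int(c) for c in value if c.isdigit()]
    # Repeated-digit CPFs (e.g. 111.111.111-11) satisfy the arithmetic but are never issued.
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    c1 = _check_digit(digits[:9], range(10, 1, -1))    # weights 10..2 over the first 9 digits
    c2 = _check_digit(digits[:10], range(11, 1, -1))   # weights 11..2 over 9 digits + c1
    return digits[9:] == [c1, c2]


def is_valid_cnpj(value):
    """True if the 14 digits in `value` carry correct CNPJ check digits."""
    digits = [int(c) for c in value if c.isdigit()]
    if len(digits) != 14 or len(set(digits)) == 1:
        return False
    w1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    c1 = _check_digit(digits[:12], w1)
    c2 = _check_digit(digits[:13], [6] + w1)           # second pass prepends weight 6
    return digits[12:] == [c1, c2]


def find_brazilian_ids(text):
    """Return (kind, token) for every CPF/CNPJ-shaped token whose check digits verify."""
    hits = [("CNPJ", m.group()) for m in CNPJ_RE.finditer(text) if is_valid_cnpj(m.group())]
    hits += [("CPF", m.group()) for m in CPF_RE.finditer(text) if is_valid_cpf(m.group())]
    return hits


# Constructed sample: one valid CPF, one valid CNPJ, one repeated-digit CPF, one wrong check digit.
SAMPLE = ("Cliente CPF 529.982.247-25, fornecedor CNPJ 11.222.333/0001-81; "
          "rejeitar 111.111.111-11 e 529.982.247-26.")

if __name__ == "__main__":
    for kind, token in find_brazilian_ids(SAMPLE):
        print(kind, token)
```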

RG (Registro Geral): State-issued civil identity document. Critically: RG format varies by state of issuance. São Paulo's RG format differs from Rio de Janeiro's, which differs from Minas Gerais's, and so on across 26 states + Federal District. A PII tool that only recognizes one state's RG format misses the majority of Brazilian RG numbers in documents from other states.

CNH (Carteira Nacional de Habilitação): 11-digit driver's license number with check digit.

Título de Eleitor: 12-digit voter registration number encoding geographic information about the voter's registration zone.

PIS/PASEP: 11-digit social integration program number used in employment records and payroll.

SUS number (Cartão SUS): 15-digit number assigned to every Brazilian for the unified health system — appears in all healthcare documents.

LGPD vs. GDPR: Key Differences for Brazilian-European Organizations

Organizations operating under both LGPD and GDPR face important differences:

Legal bases for processing: LGPD provides 10 legal bases (compared to GDPR's 6), including "legitimate interest," "protection of health," and "protection of credit" — the last being unique to LGPD and reflecting Brazil's fintech-driven credit culture.

No adequacy mechanism for Brazil: The EU has not granted Brazil an adequacy decision. EU-Brazil data transfers require Standard Contractual Clauses or binding corporate rules — the same mechanism required for transfers to the US or other non-adequate countries.

Brazilian consent requirements: LGPD requires consent to be specific, informed, unambiguous, and freely given — similar to GDPR. However, LGPD allows consent for sensitive data to be broader than GDPR's requirement for explicit consent for each specific purpose, provided the purpose is clearly communicated.

ANPD's 2025 Enforcement Focus

Based on ANPD's published enforcement priorities and 2024 investigation outcomes:

Healthcare data: LGPD Article 11 requires explicit consent or specific legal basis for health data processing. ANPD found multiple healthcare providers and health apps lacking adequate legal basis for processing SUS numbers and medical records.

Financial services: CPF numbers in financial documents — loan applications, credit reports, insurance policies — are primary enforcement targets. ANPD is auditing whether financial institutions' data retention policies align with documented purposes.

Tech platform compliance: International tech platforms (social media, e-commerce, streaming services) operating in Brazil are ANPD's 2025 focus, particularly for profiling practices and cross-border data transfers.

For organizations processing Brazilian personal data: CPF and CNPJ detection with validated check digits is the technical baseline. Adding RG detection with state-specific format recognition, CNH, Título de Eleitor, and SUS number support provides comprehensive LGPD-compliant coverage of Brazilian PII.
